Enabling Failover in J2EE Agents

The agent allows basic failover capabilities. This helps you ensure
that if the primary Access Manager instance for which the agent has been configured
becomes unavailable, the agent will switch to the next Access Manager instance
as specified in the J2EE agent AMAgent.properties configuration
file. This setup can be achieved by implementing the following steps.

To Enable Failover in J2EE Agents

Provide a list of Access Manager authentication services URLs that
may be used by the agent to authenticate users who do not have sufficient
credentials to access the protected resources.

Configure the following
property to create the list:

com.sun.identity.agents.config.login.url

You may specify more than one login URL as follows:

com.sun.identity.agents.config.login.url[0] = primary-AM-server
com.sun.identity.agents.config.login.url[1] = failover-AM-server1
com.sun.identity.agents.config.login.url[2] = failover-AM-server2

primary-AM-server

Represents the URL of the primary Access Manager instance to
which users are redirected for authentication.

failover-AM-server1

Represents the URL of the Access Manager instance to which
users are redirected for authentication if the primary Access Manager instance
fails.

failover-AM-server2

Represents the URL of the Access Manager instance to which
users are redirected for authentication if the primary Access Manager instance
fails and the first failover Access Manager instance fails.

If a URL list is provided for the com.sun.identity.agents.config.login.url property, the agent first tries to establish a connection to the first server
(primary-AM-server) specified in the URL list.
If the agent succeeds in establishing this connection, it redirects the
user to that Access Manager instance for authentication.

(Optional) Turn prioritization on for the failover
lists by setting the following property to true:

com.sun.identity.agents.config.login.url.prioritized

Note –

Setting this property to true turns prioritization
on for the login URL list and the CDSSO URL list. The two cases shown in this
step specifically mention the login URL list. However, this explanation of
prioritization is exactly the same for the CDSSO URL list. The final step
in this procedure describes how to create the CDSSO URL list in case such
a scenario applies to your site's deployment.

The following cases describe the behavior of the agent in different
situations: when you turn on prioritization and when you do not turn on prioritization
for the login URL list.

Case 1: com.sun.identity.agents.config.login.url.prioritized = true

A value of true means that priority is established
for the login URL list described in Step 1. The list was created by configuring
the following property:

com.sun.identity.agents.config.login.url

Therefore, the first URL on the list, which is abbreviated here as .url[0], has a higher priority than .url[1], .url[1] has a higher priority than .url[2], and so
on. If the server (primary-AM-server) specified
in this example as the value for .url[0] is running, the
agent sends all requests to this server only. However, if primary-AM-server fails, from that point on, subsequent requests are sent to
the server (failover-AM-server1) associated with .url[1]. Furthermore, if at some point primary-AM-server comes
back, then the subsequent requests from that point on are sent to primary-AM-server, since it takes priority over failover-AM-server1.
This mechanism always fails back to the highest priority Access Manager instance
among the Access Manager instances that are running at the point in time the
agent must redirect requests to an Access Manager instance.

Case 2: com.sun.identity.agents.config.login.url.prioritized = false

In this case, no server takes priority over
another. Failover occurs in a round-robin fashion. If all the servers are
running, the agent sends requests to the server (primary-AM-server)
associated with .url[0]. If primary-AM-server goes
down then all subsequent requests are sent to the server (failover-AM-server1) associated with .url[1]. The agent keeps
sending the requests to failover-AM-server1 unless
that server goes down. If failover-AM-server1 does
go down then the agent routes all the subsequent requests to the server (failover-AM-server2) associated with .url[2] until
it goes down. If it goes down, the agent tries to connect to primary-AM-server once again. Assuming that by then the primary-AM-server is running, all the subsequent requests from then on are sent
to primary-AM-server. This is a simple round-robin
mechanism without any priority involved.
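The two cases above can be modeled in a few lines. The following is an added example, not the agent's own code: it parses a constructed AMAgent.properties fragment and replays the same outage sequence under both settings. The URLs and the names parse, LoginUrlSelector and trace are assumptions made for illustration.

```python
import re
PREFIX = "com.sun.identity.agents.config.login.url"

# Constructed AMAgent.properties fragment; host names are placeholders.
SAMPLE = """\
com.sun.identity.agents.config.login.url[0] = https://am-primary.example.test/login
com.sun.identity.agents.config.login.url[1] = https://am-failover1.example.test/login
com.sun.identity.agents.config.login.url[2] = https://am-failover2.example.test/login
com.sun.identity.agents.config.login.url.prioritized = true
"""

def parse(text):
    """Return (login URLs in index order, prioritized flag)."""
    urls, prioritized = {}, False
    for line in text.splitlines():
        if "=" not in line or line.lstrip().startswith("#"):
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        m = re.fullmatch(re.escape(PREFIX) + r"\[(\d+)\]", key)
        if m:
            urls[int(m.group(1))] = value
        elif key == PREFIX + ".prioritized":
            prioritized = value.lower() == "true"
    return [urls[i] for i in sorted(urls)], prioritized

class LoginUrlSelector:
    """Model of Case 1 (prioritized) and Case 2 (round-robin) selection."""
    def __init__(self, urls, prioritized):
        self.urls, self.prioritized, self.current = urls, prioritized, 0

    def select(self, is_up):
        """Return the list index to redirect to, or None if all are down."""
        # Case 1 rescans from .url[0]; Case 2 resumes from the last server used.
        start = 0 if self.prioritized else self.current
        for step in range(len(self.urls)):
            i = (start + step) % len(self.urls)
            if is_up(self.urls[i]):
                self.current = i
                return i
        return None

def trace(prioritized, outages):
    """outages: one set of unavailable list indices per request."""
    urls, _ = parse(SAMPLE)
    selector = LoginUrlSelector(urls, prioritized)
    return [selector.select(lambda u, d=down: urls.index(u) not in d) for down in outages]

if __name__ == "__main__":
    for flag in (True, False):
        print(flag, trace(flag, [set(), {0}, set(), {1}, {2}]))
```

With prioritization on, the third request returns to index 0 as soon as the primary is back; with it off, the agent stays on index 1 until that server itself fails.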

Provide a list of Access Manager Naming Service URLs that the agent
can use to obtain the other service URLs that may
be needed to serve the logged-on user.

This can be done by using
the following property:

com.iplanet.am.naming.url

More than one naming service URL may be specified as a space-delimited
list of URLs. The following example illustrates this idea:

com.iplanet.am.naming.url=primary-AM-server failover-AM-server1

(Conditional) If the deployment consists of an agent instance
that is on a different domain than multiple Access Manager instances for which
you want to enable failover, provide a URL list of the remote Access Manager instances.